CVE-2024-49035
Published 2024-11-26
- Priority: P1 (87) · Critical · CVSS 3.1 base score 9.8
- CVSS vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Flags: KEV, ITW
- CISA Known Exploited Vulnerability, remediation due 2025-03-18
- Exploited in the wild
- EPSS: 1.34% (67.8th percentile)
An improper access control vulnerability in Partner.Microsoft.com allows an unauthenticated attacker to elevate privileges over a network.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| microsoft | microsoft_partner_center | — | — |
| msrc | microsoft_partner_center | — | — |
Detection & IOCs (extracted from sources)
- The vulnerability affects Partner.Microsoft.com (Microsoft Partner Center): improper access control allows unauthenticated privilege escalation over a network. Monitor for anomalous unauthenticated access attempts or unexpected privilege escalation events originating from or targeting partner.microsoft.com.
- This vulnerability is confirmed actively exploited in the wild (Exploitation Detected). Prioritize monitoring and response for any activity related to Microsoft Partner Center access control bypass.
- The fix is server-side only (Microsoft Power Apps online / Partner Center cloud service); no client-side patch is required. Detection should focus on network-level anomalies and audit logs showing unauthorized privilege escalation in Partner Center.
- No customer-side patch or configuration change is required; the fix is deployed automatically server-side by Microsoft to the Partner Center / Power Apps online service.
- CISA BOD 22-01 guidance for cloud services applies; if mitigations are unavailable, discontinue use of the product.
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| vulncheck | — | 8.7 | HIGH | — |
| cisa | — | 9.8 | CRITICAL | — |
| vendor_msrc | — | 8.7 | HIGH | — |
CISA
Microsoft Partner Center Improper Access Control Vulnerability
cisa · 2025-02-25 · CVSS 9.8
CVE-2024-49035 [CRITICAL] CWE-269
Affected: Microsoft Partner Center
Microsoft Partner Center contains an improper access control vulnerability that allows an attacker to escalate privileges.
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Notes: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-49035 ; https://nvd.nist.gov/vuln/detail/CVE-2024-49035
Remediation Due Date: 2025-03-18
Microsoft
Partner.Microsoft.Com Elevation of Privilege Vulnerability
vendor_msrc · 2024-11-12 · CVSS 8.7
CVE-2024-49035 [HIGH] CWE-269
Description: An improper access control vulnerability in Partner.Microsoft.com allows an unauthenticated attacker to elevate privileges over a network.
FAQ: Why is no action required to install this update?
This CVE addresses a vulnerability in the Microsoft Power Apps online version only. As such, customers do not need to take any action because releases are rolled out automatically over several days. For more information about the releases for Microsoft Power Apps, see "What's new in Power Apps?".
Product: Microsoft Partner Center
Vendor: Microsoft
Customer Action Required: No
Impact: Elevation of Privilege
Exploit Status: Publicly Disclosed: No; Exploited: Yes; Latest Software Release: Exploitation Detected
GHSA
GHSA-w69p-wm6c-5486: An improper access control vulnerability in Partner
ghsa_unreviewed · 2024-11-26
CVE-2024-49035 [HIGH] CWE-269
An improper access control vulnerability in Partner.Microsoft.com allows an unauthenticated attacker to elevate privileges over a network.
VulnCheck
Microsoft Partner Center Improper Access Control Vulnerability
vulncheck · 2024 · CVSS 8.7
CVE-2024-49035 [HIGH] CWE-269
Microsoft Partner Center contains an improper access control vulnerability that allows an attacker to escalate privileges.
Affected: Microsoft Partner Center
Required Action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable.
Exploitation References: https://api.msrc.microsoft.com/cvrf/v3.0/cvrf/2024-Nov ; https://msrc.microsoft.com/update-guide/en-US/advisory/CVE-2024-49035 ; https://www.cisa.gov/sites/default/files/feeds/known_exploited_vulnerabilities.json ; https://cyble.com/resources/research-reports/global-cybersecurity-report/ ; https://www.loginsoft.com/reports/annually/vulnerability-intelligence-report-202
No detection rules found.
No public exploits indexed.
No writeups or analysis indexed.
Timeline
- 2024-11-26: Published
- 2025-02-25: Added to CISA KEV
- Exploited in the wild